1. Technical Field
The invention disclosed broadly relates to data processing and more particularly relates to the establishment of a trusted path between in systems with virtual terminal features.
2. Background Art
Many data processing applications involve highly confidential information such as in financial applications, national security applications, and the like where information enters the data processing system by means of a user typing that information at a user terminal connected to the system. The prior art has not provided an effective mechanism to prevent unauthorized persons or programs from reading data from a user terminal. In prior art data processing systems, the communication path between the local processor and the operating system software can either be forged or penetrated by an unauthorized program known as a Trojan horse, which can masquerade as the program with which the user intends to communicate, and can divert, replicate or otherwise subvert the security of the confidential information being input by the user at his terminal.
For national security/applications, the United States Government has established a standard by which the security of data processing systems can be evaluated, that standard having been published in "Trusted Computer System Evaluation Criteria," U.S. Department of Defense, December 1985, DoD publication number 5200.28-STD (referred to herein as DoD Standard). The DoD Standard defines a trusted computer system as a system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information. A trusted computing base (TCB) is defined as the totality of protection mechanisms within a computer system, including hardware, firmware and software, the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters such as a user's clearance, related to the security policy. A trusted path is defined by the DoD Standard as a mechanism by which a person at a terminal of a local processor can communicate directly with the trusted computing base. The trusted path mechanism can only be activated by the person or the trusted computing base and cannot be imitated by untrusted software. Trusted software is defined as the software portion of a trusted computing base.
The problem of maintaining a trusted path between a local processor and a trusted computing base in a remote processor is compounded for those operating systems which accommodate multiple users. Some examples of prior art multi-user operating systems which have not provided an effective mechanism for establishing a trusted path include UNIX (UNIX is a trademark of AT&T Bell Laboratories), XENIX (XENIX is a trademark of Microsoft Corporation) and AIX (AIX is a trademark of the IBM Corporation). UNIX was developed and is licensed by AT&T as an operating system for a wide range of minicomputers and microcomputers. For more information on the UNIX Operating System, the reader is referred to "UNIX (TM) System, Users Manual, System V," published by Western Electric Company, January 1983. A good overview of the UNIX Operating System is provided by Brian W. Kernighan and Rob Pike in their book entitled "The UNIX Programming Environment," published by Prentice-Hall (1984). A more detailed description of the design of the UNIX Operating System is to be found in a book by Maurice J. Bach, "Design of the UNIX Operating System," published by Prentice-Hall (1986).
AT&T Bell Labs has licensed a number of parties to the use of UNIX Operating System, and there are now several versions available. The most current version from AT&T is Version 5.2. Another version known as the Berkley version of the UNIX Operating System was developed by the University of California at Berkley. Microsoft Corporation has a version known under their trademark as XENIX.
With the announcement of the IBM RT PC (RT PC are trademarks of IBM Corporation), (RISC (reduced instruction set computer) technology personal computer) in 1985, IBM Corporation released a new operating system called AIX which is compatible at the application interface level with AT&T's UNIX Operating System, Version 5.2, and includes extensions to the UNIX Operating System, Version 5.2. For a further description of the AIX Operating System, the reader is referred to "AIX Operating System Technical Reference," published by IBM Corporation, 2nd Edition (September 1986).
Copending U.S. Patent Application, Ser. No. 149,446, filed Jan. 28, 1989 (now a U.S. Pat. No. 4,918,653) , by Abhai Johri and Gary Luckenbaugh entitled "A Trusted Path Mechanism for An Operating System," assigned to the IBM Corporation, is incorporated herein by reference. The Johri and Luckenbaugh application discloses a trusted path mechanism invention which guarantees that data typed by a user on a terminal keyboard is protected from any intrusion by unauthorized programs. It allows a user to create a non-forgeable and non-penetrable communication path between the user's terminal and the trusted operating system software. The user can create a trusted path by simply pressing a key, called the Secure Attention Key (SAK), on the terminal keyboard. This operation can be called when the user logs into the system in order to be sure that the user is communicating with the real login program and not a Trojan horse program masquerading as a login program, which would steal the user's password. After the user has established the trusted path, he can enter his critical data, such as a password, and can be sure that his password is not being stolen by an intruder's program. Then, after the user logs out, he can be sure that the trusted path has actually logged him out of the system so that a Trojan horse program is not capable of continuing the session started by the user.
The invention described in the Johri and Luckenbaugh application, is contained in a data processing system including a memory to which is connected a plurality of terminals, with at least one terminal including a keyboard having a Secure Attention Key. It is a method in a UNIX-type operating system for creating, in response to the Secure Attention Key, a trusted path between the terminal and a trusted shell portion of a trusted computing base which is a child process of an init process under the operating system. The method includes detecting the Secure Attention Key in a keyboard device driver connected to the keyboard and outputting from the keyboard device driver to a Secure Attention Key Signal Generator, information that the Secure Attention Key has been been detected. It further includes outputting from the Secure Attention Key Generator a SIGSAK signal to all processes operating in a process group of the terminal, terminating all of the processes in the terminal process group. The method further includes applying the SIGSAK signal to access authorization tables associated with all the device drivers interfacing with the terminal, to deny access authorization to all processes in the data processing system except the init process. The method further includes applying the SIGSAK signal to a file access table to remove all addressing information relating the device drivers interfacing with the terminal, to all processes in the data processing system except the init process. The method further includes executing a fork system call by the init process for a new child process. The method further includes executing an exec system call to overlay a trusted shell process onto the new child process, the trusted shell process having access authorization to the device drivers interfacing with the terminal and the trusted shell process having an addressing relationship defined in the file access table to the device drivers interfacing with the terminal. Thereby a trusted path is established between the terminal and the trusted shell process.
However, the trusted path approach of Johri and Luckenbaugh creates some problems when applied in a data processor which is running multiple windows or virtual terminals, since establishing the trusted path in one of the virtual terminals can destroy the concurrent sessions running in the other virtual terminals on the same processor.
Copending U.S. Patent Application, Ser. No. 820,451, filed Jan. 17, 1986 by D.C. Baker, et al, entitled "A Virtual Terminal Subsystem", assigned to IBM Corporation, is incorporated herein by reference, for its explanation of virtual terminals. Baker et al disclose a method of, and apparatus for, running several applications concurrently on a processing system. Virtual terminals are created for running the applications. However, the virtual terminals perform as though the processing system were a single terminal system. In this way, any application written for a single terminal system can run in this multiple virtual terminal environment. For interaction with one of the several applications running on this system, the real physical resources of the system are reallocated to the virtual terminal running the selected application.
Copending U.S. Patent Application, Ser. No. 820,453, filed Jan. 17, 1986 by F. H. Fatahalian, et al, entitled "Virtual Terminal Monitored Mode", assigned to IBM Corporation, is incorporated herein by reference, for its further explanation of virtual terminals. Fatahalian, et al disclose a data processing system which gives an application running on the operating system direct access to the output display. The system is operable in two modes. In the first mode, if the application displays text to the output display, the output data must go through every layer of the processing system before it reaches the output display. In the second mode, the application can output data directly to the output display without going through the many layers of the processing system. In this second mode, a buffer is defined by the application. Input data from the input devices are stored in this buffer. The application accesses the buffer for direct output to the display.
The invention disclosed and claimed herein specifically concerns providing a mechanism for establishing a trusted path in a data processor running several virtual terminals in a multi-user operating system such as UNIX, XENIX, or AIX, so that unauthorized programs are prevented from reading data in one of the virtual terminals. None of the prior art multi-user operating systems provides a mechanism for establishing a trusted path which is effective in preventing unauthorized programs from reading data from a virtual terminal.